Description of problem:
Secondary LDAP groups go missing from 'id' command on RHEL 7.8 with sssd-1.16.2-37.el7_8.1

Version-Release number of selected component (if applicable):
sssd-1.16.2-37.el7_8.1.x86_64

How reproducible:
Always on RHEL 7.8

Steps to Reproduce:
1. Configure sssd and point it to LDAP server with 'id_provider = ldap' mode.
2. Run 'id ldapusername' command.
3. Secondary groups would go missing from 'id' output after 25-30 mins.

Actual results:
Secondary groups go missing from 'id' output after 25-30 mins.

Expected results:
Secondary groups should always be visible in 'id' output.

Additional info:
Same SSSD configuration works very well with the older version of sssd on RHEL 7.7 (tested with sssd-1.16.4-21.el7.x86_64).
Upstream ticket: https://github.com/SSSD/sssd/issues/5261
Accepted 1-16 upstream PR: https://github.com/SSSD/sssd/pull/5281
Versions:

Server Configuration:
=====================
1. Setup openldap-server such that there are spaces in member entry dn:

cn=group1
member: cn=user1, ou=people, dc=example,dc=com
memberUid: user1
gidNumber: 20001
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
structuralObjectClass: posixGroup
cn: group1
entryUUID: e59182d0-75a3-103a-9b63-653597a2aaa1
creatorsName: cn=manager
createTimestamp: 20200818133851Z
entryCSN: 20200818133851.585572Z#000000#000#000000
modifiersName: cn=manager
modifyTimestamp: 20200818133851Z

# group1, groups, example.com
dn: cn=group1,ou=groups,dc=example,dc=com
member: cn=user1, ou=people, dc=example,dc=com
memberUid: user1
gidNumber: 20001
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
cn: group1

2. Create a posix user1 entry as shown below in ldap server

# user1, people, example.com
dn: cn=user1,ou=people,dc=example,dc=com
cn: user1
objectClass: shadowAccount
objectClass: posixAccount
objectClass: organizationalPerson
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 10001
gecos: user1
sn: user1
homeDirectory: /home/user1
uid: user1

Client configuration:

[sssd]
config_file_version = 2
services = nss,pam
domains = LDAP
debug_level = 9

[domain/ldap]
id_provider = ldap
cache_credentials = true
ldap_uri = ldap://vm-idm-009.lab.eng.pnq.redhat.com
ldap_search_base = dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com
ldap_tls_cacertdir = /etc/openldap/certs
ldap_default_bind_dn = cn=manager
ldap_default_authtok = xxxxx
ldap_default_authtok_type = password
ldap_schema = rfc2307bis
debug_level = 9

[nss]
filter_groups = root
filter_users = root
debug_level = 9

[pam]
debug_level = 9

1. Remove cache, restart sssd and verify group1 shows up in id command.
systemctl stop sssd; rm -rf /var/lib/sss/{mc,db}/*; systemctl start sssd

[root@vm-idm-012 sssd]# getent group -s sss group1
group1:*:20001:user1
[root@vm-idm-012 sssd]# id user1
uid=10001(user1) gid=10001(user1) groups=10001(user1),20001(group1)

Logs:

(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=group1)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=groups,dc=example,dc=com].
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 4
(2020-08-28 19:42:52): [be[ldap]] [sdap_op_add] (0x2000): New operation 4 timeout 6
(2020-08-28 19:42:52): [be[ldap]] [sdap_process_result] (0x2000): Trace: sh[0x560ff3a115b0], connected[1], ops[0x560ff3a2ac50], ldap[0x560ff3a09630]
(2020-08-28 19:42:52): [be[ldap]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=group1,ou=groups,dc=example,dc=com].
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(2020-08-28 19:42:52): [be[ldap]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(2020-08-28 19:42:52): [be[ldap]] [sdap_process_result] (0x2000): Trace: sh[0x560ff3a115b0], connected[1], ops[0x560ff3a2ac50], ldap[0x560ff3a09630]
(2020-08-28 19:42:52): [be[ldap]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(2020-08-28 19:42:52): [be[ldap]] [sdap_op_destructor] (0x2000): Operation 4 finished
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_hash_insert] (0x4000): Inserting [cn=group1,ou=groups,dc=example,dc=com] into hash table [groups]
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_process_send] (0x2000): About to process group [cn=group1,ou=groups,dc=example,dc=com]
(2020-08-28 19:42:52): [be[ldap]] [sysdb_cache_search_users] (0x2000): Search users with filter: (&(objectCategory=user)(originalDN=cn=user1,ou=people,dc=example,dc=com))
(2020-08-28 19:42:52): [be[ldap]] [sysdb_cache_search_users] (0x2000): No such entry
(2020-08-28 19:42:52): [be[ldap]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(originalDN=cn=user1,ou=people,dc=example,dc=com))
(2020-08-28 19:42:52): [be[ldap]] [sysdb_cache_search_groups] (0x2000): No such entry
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_split_members] (0x4000): [cn=user1, ou=people, dc=example,dc=com] is a user
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group [cn=group1,ou=groups,dc=example,dc=com]
(2020-08-28 19:42:52): [be[ldap]] [sdap_nested_group_process_send] (0x2000): Members of group [cn=group1,ou=groups,dc=example,dc=com] will be processed individually
(2020-08-28 19:42:52): [be[ldap]] [sdap_print_server] (0x2000): Searching 10.65.206.143:389
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=posixAccount)][cn=user1, ou=people, dc=example,dc=com].
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(2020-08-28 19:42:52): [be[ldap]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
(2020-08-28 19:42:52): [be[ldap]] [sdap_op_add] (0x2000): New operation 5 timeout 6
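The mismatch the reproducer above provokes (a member value written as "cn=user1, ou=people, dc=example,dc=com" while the user entry's originalDN is "cn=user1,ou=people,dc=example,dc=com") can be shown without a directory server. The Python below is an added illustration, not code from SSSD or from this bug's commits: split_dn, normalize_dn, build_member_table, is_member, parse_ldif, find_unsanitized_members and the embedded sample LDIF are all constructed here. The canonical form it uses (trim whitespace around each RDN and around "=", lower-case attribute types and values) is an assumption that is only appropriate for case-insensitive attributes such as cn, ou and dc, and it is not a reproduction of the sss_sanitize_dn routine named in the pushed commits. The last function is a small audit that scans group entries for member DNs whose raw text differs from that canonical form, which is the shape of data that triggers the lost-membership behaviour.

```python
"""Constructed illustration of the DN-key mismatch behind this bug.

A hash table keyed on the raw member string misses the user's originalDN;
keying it on a normalized DN hits. Not SSSD code; the normalization rules
are an assumption (see lead-in)."""


def split_dn(dn):
    """Split a DN into its RDN strings at unescaped commas.
    A backslash escape (e.g. 'cn=a\\,b') is kept intact, per RFC 4514."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn):
    """Assumed canonical form: strip whitespace around each RDN and its '=',
    lower-case attribute type and value. Lower-casing the value is only valid
    for case-insensitive attributes (cn, ou, dc); a real sanitizer would
    consult the attribute's matching rule."""
    rdns = []
    for rdn in split_dn(dn):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(rdns)


# Constructed sample values, copied from the LDIF in this report.
GROUP_MEMBERS = ["cn=user1, ou=people, dc=example,dc=com"]
USER_ORIGINAL_DN = "cn=user1,ou=people,dc=example,dc=com"


def build_member_table(members, normalize=False):
    """Hash table keyed on member DN, raw or normalized."""
    return {(normalize_dn(m) if normalize else m): m for m in members}


def is_member(table, original_dn, normalize=False):
    """Look the user's originalDN up in the member table with the same keying."""
    key = normalize_dn(original_dn) if normalize else original_dn
    return key in table


def demo():
    """Raw keying loses the membership; normalized keying keeps it."""
    raw = build_member_table(GROUP_MEMBERS)
    norm = build_member_table(GROUP_MEMBERS, normalize=True)
    return {
        "raw_match": is_member(raw, USER_ORIGINAL_DN),
        "normalized_match": is_member(norm, USER_ORIGINAL_DN, normalize=True),
    }


# Constructed sample LDIF (the group1 entry from the report).
SAMPLE_LDIF = """\
# group1, groups, example.com
dn: cn=group1,ou=groups,dc=example,dc=com
member: cn=user1, ou=people, dc=example,dc=com
memberUid: user1
gidNumber: 20001
objectClass: top
objectClass: groupOfNames
objectClass: posixGroup
cn: group1
"""


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, '#' comments, blank-line
    separated entries. Base64 ('::') values and line folding are not handled."""
    entries, cur = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def find_unsanitized_members(text):
    """Audit helper: (group dn, member value) pairs whose raw member DN differs
    in whitespace or case from the canonical form."""
    hits = []
    for entry in parse_ldif(text):
        for member in entry.get("member", []):
            if member != normalize_dn(member):
                hits.append((entry["dn"][0], member))
    return hits


if __name__ == "__main__":
    print(demo())
    print(find_unsanitized_members(SAMPLE_LDIF))
```

Run the file directly to see both results; the audit function can be pointed at an ldapsearch dump of the group subtree to find entries that would hit the same lookup mismatch on an unpatched client.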
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4074
Pushed PR: https://github.com/SSSD/sssd/pull/5262

* `master`
    * 88631392e9172ae4fa3e411398516a2f39f0060e - intg: allow member DN to have a different case
    * 50d0d154cedb6915ab321b47c40851c40e91cf41 - ldap: use member DN to create ghost user hash table
    * fe0f1e64e8a77dadde699495c7eb368ce61ac992 - UTIL: Use sss_sanitize_dn where we deal with DN 2
    * 21b9417e14ce35a2548c309642325ac43103d51e - UTIL: Use sss_sanitize_dn where we deal with DN
    * 093061f553ab0a2c316794221e79779fb1bd40d2 - UTIL: DN sanitization
Pushed PR: https://github.com/SSSD/sssd/pull/5281

* `sssd-1-16`
    * e5ae7bab88603fd64a27bcf59d4bba1503835ad0 - intg: allow member DN to have a different case
    * a63a22284d85d54514247549e94212e466b5c93c - ldap: use member DN to create ghost user hash table
    * f31005a076fa470d3b1a1b6117f306355ae6d97b - UTIL: Use sss_sanitize_dn where we deal with DN 2
    * a960d66daaa1e0fb0602958452c6b40ee714f3b2 - UTIL: Use sss_sanitize_dn where we deal with DN
    * a20e08524d58c52ebfb5b971b361a91d911825cf - UTIL: DN sanitization